Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

module ignores b64 in the header #36

Open
namrata25 opened this issue Apr 16, 2019 · 1 comment
Open

module ignores b64 in the header #36

namrata25 opened this issue Apr 16, 2019 · 1 comment

Comments

@namrata25
Copy link

Hello,

I am using jws library which internally uses this module and it seems that the signature generated does not meet the specifications.

According to the standards, if I pass b64: false in the header, the signature returned should not be base64Url encoded.

After going through the code of the library, it looks like you are returning base64Url encoded signature irrespective of what is passed in the header.

https://github.com/brianloveswords/node-jwa/blob/master/index.js#L153

Would appreciate your take on this.

Thanks
@panva
Copy link

panva commented Apr 17, 2019
edited
Loading

Hi @namrata25

  1. RFC7797 talks about unencoded payload, not signatures.
  2. "b64": false MUST be accompanied by "crit": ["b64"] in the header. 1, 2
  3. Implementations MUST throw when "crit" members aren't understood by the implementation.

Since this jwa module really only deals with signing and verification of provided inputs what you're asking should be part of the module you're using.

Other JOSE packages, e.g. jose support the RFC7797-defined b64 critical parameter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@panva @namrata25